@sap/cds 5.5.5 → 5.6.3

package/libx/rest/RestAdapter.js

@@ -0,0 +1,101 @@
+const cds = require('../_runtime/cds')
+
+const express = require('express')
+
+const auth = require('./middleware/auth')
+const content = require('./middleware/content')
+const parse = require('./middleware/parse')
+
+const create = require('./middleware/create')
+const read = require('./middleware/read')
+const update = require('./middleware/update')
+const deleet = require('./middleware/delete')
+const operation = require('./middleware/operation')
+
+const error = require('./middleware/error')
+
+// REVISIT: _commit_attempted workaround to avoid double rollback leading to release error
+const _commit_attempted = Symbol()
+
+class RestAdapter extends express.Router {
+  constructor(srv) {
+    super()
+
+    this.use(express.json())
+
+    // pass srv-reated stuff to middlewares via req
+    this.use('/', (req, res, next) => {
+      req._srv = srv
+      next()
+    })
+
+    // check @requires as soon as possible (DoS)
+    this.use('/', auth)
+
+    // content-type check
+    this.use('/', content)
+
+    // parse
+    this.use('/', parse)
+
+    // begin tx
+    this.use('/', (req, res, next) => {
+      // create tx and set as cds.context
+      // REVISIT: _model should not be necessary
+      req._tx = cds.context = srv.tx({ user: req.user, req, res, _model: req._srv.model })
+      next()
+    })
+
+    // POST
+    this.post('/*', (req, res, next) => {
+      if (req._operation) operation(req, res, next)
+      else create(req, res, next)
+    })
+
+    // GET
+    this.get('/*', (req, res, next) => {
+      if (req._operation) operation(req, res, next)
+      else read(req, res, next)
+    })
+
+    // PUT, PATCH, DELETE
+    this.put('/*', update)
+    this.patch('/*', update)
+    this.delete('/*', deleet)
+
+    // end tx (i.e., commit or rollback)
+    this.use('/', async (req, res, next) => {
+      const { result, status, location } = req._result
+
+      // unfortunately, express doesn't catch async errors -> try catch needed
+      try {
+        req._tx[_commit_attempted] = true
+        await req._tx.commit(result)
+      } catch (e) {
+        return next(e)
+      }
+
+      // TODO: cf. bufferToBase64() in old rest adapter
+
+      // only set status if not yet modified
+      if (status && res.statusCode === 200) res.status(status)
+      if (location) res.set('location', location)
+      res.send(result)
+    })
+    this.use('/', (err, req, res, next) => {
+      // request may fail during processing or during commit -> both caught here
+
+      // ignore rollback error, which should never happen
+      if (req._tx && !req._tx[_commit_attempted]) req._tx.rollback(err).catch(() => {})
+
+      next(err)
+    })
+
+    /*
+     * error handling
+     */
+    this.use(error)
+  }
+}
+
+module.exports = RestAdapter

package/libx/rest/RestRequest.js

@@ -0,0 +1,30 @@
+const cds = require('../_runtime/cds')
+
+class RestRequest extends cds.Request {
+  constructor(args) {
+    super(args)
+
+    // REVISIT: should not be necessary
+    /*
+     * propagate _ (i.e., req._ and, hence, req._.req/res)
+     * -> in the old adapters this is also set in OdataRequest/RestRequest
+     */
+    Object.setPrototypeOf(this._, cds.context._)
+
+    /*
+     * new req.res api [work in progress -> not official]:
+     * - req.res.status(202)
+     * - req.res.set('location', '/Books/301')
+     * this way is $batch compatible, i.e., the status and headers can be set on "subresponse"
+     */
+    this._status = null
+    this._headers = {}
+    const that = this
+    this.res = {
+      status: s => (that._status = s),
+      set: (k, v) => (that._headers[k] = v)
+    }
+  }
+}
+
+module.exports = RestRequest

package/libx/rest/index.js

@@ -0,0 +1,3 @@
+const RestAdapter = require('./RestAdapter')
+
+module.exports = srv => new RestAdapter(srv)

package/libx/rest/middleware/auth.js

@@ -0,0 +1,22 @@
+const { UNAUTHORIZED, FORBIDDEN } = require('../../_runtime/common/utils/auth')
+
+const { getRequiresAsArray } = require('../../_runtime/common/utils/auth')
+
+module.exports = (req, res, next) => {
+  if (!req._srv._requires) req._srv._requires = getRequiresAsArray(req._srv.definition)
+
+  const { _requires: requires } = req._srv
+
+  if (req.path !== '/' && requires.length > 0 && !requires.some(r => req.user.is(r))) {
+    // > unauthorized or forbidden?
+    if (req.user._is_anonymous) {
+      if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
+      // REVISIT: security log in else case?
+      throw UNAUTHORIZED
+    }
+    // REVISIT: security log?
+    throw FORBIDDEN
+  }
+
+  next()
+}

package/libx/rest/middleware/content.js

@@ -0,0 +1,15 @@
+const PPP = { POST: 1, PUT: 1, PATCH: 1 }
+const UPDATE = { PUT: 1, PATCH: 1 }
+
+module.exports = (req, res, next) => {
+  if (PPP[req.method]) {
+    if (req.headers['content-type'] && req.headers['content-type'] !== 'application/json') {
+      throw { statusCode: 415, code: '415', message: 'INVALID_CONTENT_TYPE_ONLY_JSON' }
+    }
+    if (UPDATE[req.method] && Array.isArray(req.body)) {
+      throw { statusCode: 400, code: '400', message: `INVALID_${req.method}` }
+    }
+  }
+
+  next()
+}

package/libx/rest/middleware/create.js

@@ -0,0 +1,40 @@
+const cds = require('../../_runtime/cds')
+const { INSERT } = cds.ql
+
+const RestRequest = require('../RestRequest')
+
+const _error4 = rejected =>
+  rejected.length > 1 ? { message: 'MULTIPLE_ERRORS', details: rejected.map(r => r.reason) } : rejected[0].reason
+
+module.exports = async (_req, _res, next) => {
+  const { _srv: srv, _query: query, _target, _data } = _req
+
+  let result, location
+
+  // unfortunately, express doesn't catch async errors -> try catch needed
+  try {
+    // add the data
+    query.entries(_data)
+    if (query.INSERT.entries.length > 1) {
+      // > batch insert
+      const reqs = query.INSERT.entries.map(
+        entry => new RestRequest({ query: INSERT.into(query.INSERT.into).entries(entry), _target })
+      )
+      const ress = await Promise.allSettled(reqs.map(req => srv.dispatch(req)))
+      const rejected = ress.filter(r => r.status === 'rejected')
+      if (rejected.length) throw _error4(rejected)
+      result = ress.map(r => r.value)
+    } else {
+      // > single insert
+      const req = new RestRequest({ query, _target })
+      result = await srv.dispatch(req)
+      location = `../${req.entity.replace(srv.name + '.', '')}`
+      for (const k in req.target.keys) location += `/${result[k]}`
+    }
+  } catch (e) {
+    return next(e)
+  }
+
+  _req._result = { result, status: 201, location }
+  next()
+}

package/libx/rest/middleware/delete.js

@@ -0,0 +1,20 @@
+const RestRequest = require('../RestRequest')
+
+module.exports = async (_req, _res, next) => {
+  const { _srv: srv, _query: query, _target, _params } = _req
+
+  // unfortunately, express doesn't catch async errors -> try catch needed
+  try {
+    const req = new RestRequest({ query, _target })
+
+    // req.data is filled with keys during read and delete
+    if (_params) req.data = _params[_params.length - 1]
+
+    await srv.dispatch(req)
+  } catch (e) {
+    return next(e)
+  }
+
+  _req._result = { result: null, status: 204 }
+  next()
+}

package/libx/rest/middleware/error.js

@@ -0,0 +1,56 @@
+const cds = require('../../_runtime/cds')
+
+// requesting logger without module on purpose!
+const LOG = cds.log()
+
+let _i18n
+const i18n = (...args) => {
+  if (!_i18n) _i18n = require('../../_runtime/common/i18n')
+  return _i18n(...args)
+}
+
+const { normalizeError, isClientError } = require('../../_runtime/common/error/frontend')
+
+const _log = err => {
+  const level = isClientError(err) ? 'warn' : 'error'
+  if ((level === 'warn' && !LOG._warn) || (level === 'error' && !LOG._error)) return
+
+  // replace messages in toLog with developer texts (i.e., undefined locale)
+  const _message = err.message
+  const _details = err.details
+  err.message = i18n(err.message || err.code, undefined, err.args) || err.message
+  if (err.details) {
+    const details = []
+    for (const d of err.details) {
+      details.push(Object.assign({}, d, { message: i18n(d.message || d.code, undefined, d.args) || d.message }))
+    }
+    err.details = details
+  }
+
+  // log it
+  LOG[level](err)
+
+  // restore
+  err.message = _message
+  if (_details) err.details = _details
+}
+
+// eslint-disable-next-line no-unused-vars
+module.exports = (err, req, res, next) => {
+  const { _srv: srv } = req
+
+  // invoke srv.on('error', function (err, req) { ... }) here in special situations
+  let ctx = cds.context
+  if (!ctx) {
+    // > error before req was dispatched
+    ctx = new cds.Request({ req, res: req.res, user: req.user || new cds.User.Anonymous() })
+    for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
+  }
+
+  // log the error (4xx -> warn)
+  _log(err)
+
+  const { error, statusCode } = normalizeError(err, req)
+
+  res.status(statusCode).send({ error })
+}

package/libx/rest/middleware/operation.js

@@ -0,0 +1,39 @@
+const { validateReturnType } = require('../../_runtime/cds-services/adapter/rest/utils/validation-checks')
+
+const RestRequest = require('../RestRequest')
+
+module.exports = async (_req, _res, next) => {
+  const { _srv: srv, _query: query, _operation: operation, _data: data } = _req
+
+  let result
+
+  // unfortunately, express doesn't catch async errors -> try catch needed
+  try {
+    const req = query
+      ? new RestRequest({ query, event: operation.name, data })
+      : new RestRequest({ event: operation.name.replace(`${srv.name}.`, ''), data })
+    result = await srv.dispatch(req)
+  } catch (e) {
+    return next(e)
+  }
+
+  if (!operation.returns) {
+    _req._result = { status: 204 }
+  } else {
+    // unfortunately, express doesn't catch async errors -> try catch needed
+    try {
+      // REVISIT: do not use from old rest adapter
+      // REVISIT: new impl should return instead of throwing to avoid try catch
+      validateReturnType(operation, result)
+    } catch (e) {
+      return next(e)
+    }
+
+    // REVISIT: still needed?
+    if (!operation.returns.items && Array.isArray(result)) result = result[0]
+
+    _req._result = { result }
+  }
+
+  next()
+}

package/libx/rest/middleware/parse.js

@@ -0,0 +1,90 @@
+const cds = require('../../_runtime/cds')
+const { INSERT, SELECT, UPDATE, DELETE } = cds.ql
+
+const { getDeepCopy } = require('../utils/data')
+
+const { where2obj } = require('../../_runtime/common/utils/cqn')
+
+module.exports = (req, res, next) => {
+  const { _srv: service } = req
+  const { model } = service
+
+  let query = cds.odata.parse(req.url, { service })
+
+  // parser always produces selects
+  const _target = (req._target = query.SELECT && query.SELECT.from)
+  if (!_target) return next()
+
+  // REVISIT: __target is the csn target definition
+  const {
+    __target: definition,
+    SELECT: { one }
+  } = query
+  delete query.__target
+
+  // REVISIT: hack for actions and functions
+  let operation, args
+  const last = _target.ref[_target.ref.length - 1]
+  if (last.operation) {
+    operation = last.operation
+    if (last.args) args = last.args
+    _target.ref.pop()
+  }
+
+  const unbound = _target.ref.length === 0
+
+  // query based on method
+  switch (req.method) {
+    case 'GET':
+      if (operation) {
+        // function
+        req._operation = operation = definition.kind === 'function' ? definition : definition.actions[operation]
+        if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
+        else query = undefined
+      } else {
+        // read (nothing to do)
+      }
+      break
+    case 'POST':
+      if (operation) {
+        // action
+        req._operation = operation = definition.kind === 'action' ? definition : definition.actions[operation]
+        if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
+        else query = undefined
+      } else {
+        // create
+        if (one) cds.error('POST not allowed on entity', { code: 400 })
+        query = INSERT.into(_target)
+      }
+      break
+    case 'PUT':
+    case 'PATCH':
+      if (!one) throw { statusCode: 400, code: '400', message: `INVALID_${req.method}` }
+      query = UPDATE(_target)
+      break
+    case 'DELETE':
+      if (!one) cds.error('DELETE not allowed on collection', { code: 400 })
+      query = DELETE.from(_target)
+      break
+    default:
+    // anything to do?
+  }
+  req._query = query
+
+  // REVISIT: query._data hack
+  // deep copy of body (incl. validations such as correct data type)
+  if ((query && (query.INSERT || query.UPDATE)) || (operation && operation.kind === 'action') || args) {
+    const [validations, copy] = getDeepCopy(args || req.body, operation || definition, model, req.method !== 'POST')
+    if (validations) throw validations
+    req._data = copy
+  }
+
+  // REVISIT: req.params as documented
+  for (let i = 0; i < _target.ref.length; i++) {
+    req._params = req._params || []
+    if (_target.ref[i].where) req._params.push(where2obj(_target.ref[i].where))
+    else req._params.push({})
+  }
+
+  next()
+}

package/libx/rest/middleware/read.js

@@ -0,0 +1,29 @@
+const RestRequest = require('../RestRequest')
+
+module.exports = async (_req, _res, next) => {
+  const { _srv: srv, _query: query, _target, _params } = _req
+
+  let result,
+    status = 200
+
+  // unfortunately, express doesn't catch async errors -> try catch needed
+  try {
+    const req = new RestRequest({ query, _target })
+
+    // req.data is filled with keys during read and delete
+    if (_params) req.data = _params[_params.length - 1]
+
+    result = await srv.dispatch(req)
+
+    // 204 or 404?
+    if (result === null && query.SELECT.one) {
+      if (_target.ref.length > 1) status = 204
+      else throw { code: 404 }
+    }
+  } catch (e) {
+    return next(e)
+  }
+
+  _req._result = { result, status }
+  next()
+}

package/libx/rest/middleware/update.js

@@ -0,0 +1,42 @@
+const cds = require('../../_runtime/cds')
+const { INSERT } = cds.ql
+
+const RestRequest = require('../RestRequest')
+
+const UPSERT_ALLOWED = !(cds.env.runtime && cds.env.runtime.allow_upsert === false)
+
+const { deepCopyObject } = require('../../_runtime/common/utils/copy')
+
+module.exports = async (_req, _res, next) => {
+  let { _srv: srv, _query: query, _target, _data, _params } = _req
+
+  let result,
+    status = 200
+
+  // unfortunately, express doesn't catch async errors -> try catch needed
+  try {
+    // if upsert it allowed, we need to catch 404 and retry with create
+    try {
+      // add the data (as copy, if upsert allowed)
+      query.with(UPSERT_ALLOWED ? deepCopyObject(_data) : _data)
+      // REVISIT: if PUT, req.method should be PUT -> Crud2Http maps UPSERT to PUT
+      result = await srv.dispatch(new RestRequest({ query, _target, method: _req.method }))
+      if (_params) Object.assign(result, _params[_params.length - 1])
+    } catch (e) {
+      if ((e.code === 404 || e.status === 404 || e.statusCode === 404) && UPSERT_ALLOWED) {
+        query = INSERT.into(query.UPDATE.entity).entries(
+          _params ? Object.assign(_data, _params[_params.length - 1]) : _data
+        )
+        result = await srv.dispatch(new RestRequest({ query, _target }))
+        status = 201
+      } else {
+        throw e
+      }
+    }
+  } catch (e) {
+    return next(e)
+  }
+
+  _req._result = { result, status }
+  next()
+}

package/libx/rest/utils/data.js

@@ -0,0 +1,65 @@
+const cds = require('../../_runtime/cds')
+
+const { deepCopyObject } = require('../../_runtime/common/utils/copy')
+const { checkKeys, checkStatic } = require('../../_runtime/cds-services/util/assert')
+const { MULTIPLE_ERRORS } = require('../../_runtime/common/error/constants')
+
+// this can be reused for flattening data on db layer, if necessary
+// const _getFlattenedCopy = (data, key, entity) => {
+//   const d = {}
+//   const prefix = key + '_'
+//   // TODO: ignore or preserve unknown?
+//   const matches = Object.keys(entity.elements)
+//     .filter(ele => ele.startsWith(prefix))
+//     .map(ele => ele.replace(prefix, ''))
+//   if (matches.length) {
+//     const current = data[key]
+//     for (const k of matches) if (current[k] !== undefined) d[prefix + k] = current[k]
+//     const nested = Object.keys(current).filter(k => current[k] && typeof current[k] === 'object')
+//     for (const k of nested) Object.assign(d, _getFlattenedCopy({ [prefix + k]: current[k] }, prefix + k, entity))
+//   }
+//   return d
+// }
+
+const _getDeepCopy = (data, definition, model, validations, skipKeys) => {
+  skipKeys || (definition.keys && validations.push(...checkKeys(definition, data)))
+  validations.push(...checkStatic(definition, data, true))
+
+  const d = {}
+  for (const k in data) {
+    const element = (definition.elements && definition.elements[k]) || (definition.params && definition.params[k])
+    if (!element) {
+      const { additional_properties } = cds.env.features
+      if (additional_properties === 'ignore' || !additional_properties) {
+        // ignore input (the default)
+      } else if (additional_properties === 'error') {
+        validations.push({ message: `Unknown property "${k}"`, code: 400 })
+      } else {
+        d[k] = data[k] && typeof data[k] === 'object' ? deepCopyObject(data[k]) : data[k]
+      }
+    } else if (element.isAssociation) {
+      d[k] = Array.isArray(data[k])
+        ? data[k].map(d => _getDeepCopy(d, model.definitions[element.target], model, validations))
+        : _getDeepCopy(data[k], model.definitions[element.target], model, validations)
+    } else if (element._isStructured) {
+      d[k] = _getDeepCopy(data[k], element, model, validations)
+    } else {
+      d[k] = data[k]
+    }
+  }
+  return d
+}
+
+const getDeepCopy = (data, definition, model, skipKeys) => {
+  const validations = []
+  const copy = Array.isArray(data)
+    ? data.map(d => _getDeepCopy(d, definition, model, validations, skipKeys))
+    : _getDeepCopy(data, definition, model, validations, skipKeys)
+  if (!validations.length) return [undefined, copy]
+  if (validations.length === 1) return [validations[0]]
+  return [Object.assign(new Error(MULTIPLE_ERRORS), { details: validations })]
+}
+
+module.exports = {
+  getDeepCopy
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "5.5.5",
+  "version": "5.6.3",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -40,6 +40,9 @@
     }
   },
   "lint-staged": {
+    "libx/odata/odata2cqn/grammar.pegjs": [
+      "npm run pegjs:odata2cqn && git add libx/odata/odata2cqn/parser.js"
+    ],
     "{libx,tests/_runtime}/**/*.js": [
       "npx prettier --write"
     ]

package/server.js

@@ -40,16 +40,23 @@ module.exports = async function cds_server (options, o = { ...options, __proto__
   if (o.logger)    app.use (o.logger)                   //> basic request logging
   if (o.toggler)   app.use (o.toggler)                  //> feature toggler
 
+  // give uiflex a chance to plug into everything
+  if (cds.requires.extensibility) await require('./libx/_runtime/fiori/uiflex')() // REVISIT: later this should be a ext umbrella service
+
   // load specified models or all in project
   const csn = await cds.load (o.from||'*', {mocked:o.mocked})
-  cds.model = o.from = cds.linked (cds.compile.for.odata(csn))
+  const m = cds.linked(csn).minified()
+  cds.model = o.from = cds.linked (cds.compile.for.odata(m))
 
   // connect to essential framework services if required
-  const _init = o.in_memory && (db => cds.deploy(csn).to(db,o))
+  const _init = o.in_memory && (db => cds.deploy(m).to(db,o))
   if (cds.requires.db) cds.db =  await cds.connect.to ('db') .then (_init)
   if (cds.requires.messaging)    await cds.connect.to ('messaging')
   if (cds.requires.multitenancy) await cds.mtx.in (app)
 
+  // serve graphql
+  if (cds.env.features.graphql) serve_graphql(app)
+
   // serve all services declared in models
   await cds.serve (o.service,o).in (app)
   await cds.emit ('served', cds.services)               //> hook for listeners
@@ -113,6 +120,16 @@ const _app_serve = function (endpoint) { return {
 }}
 
 
+// register graphql router on served event
+function serve_graphql (app) {
+  cds.on('served', services => {
+    const GraphQLAdapter = require('./libx/gql/GraphQLAdapter')
+    app.use(new GraphQLAdapter(services, { graphiql: true }))
+    cds.log()("serving GraphQL endpoint for all services { at: '/graphql' }")
+  })
+}
+
+
 function cors (req, res, next) {
   const { origin } = req.headers
   if (origin) res.set('access-control-allow-origin', origin)
@@ -121,17 +138,22 @@ function cors (req, res, next) {
   next()
 }
 
-function correlate (req,_,next) {
-  if (!cds.context) cds.context = {}
-  const id = cds.context.id
-    || req.headers['x-correlation-id'] || req.headers['x-correlationid']
+function correlate (req, res, next) {
+  // derive correlation id from req
+  const id = req.headers['x-correlation-id'] || req.headers['x-correlationid']
     || req.headers['x-request-id'] || req.headers['x-vcap-request-id']
     || cds.utils.uuid()
-  cds.context.id = req.headers['x-correlation-id'] = id
+  // new intermediate cds.context, if necessary
+  if (!cds.context) cds.context = { id }
+  // guarantee x-correlation-id going forward and set on res
+  req.headers['x-correlation-id'] = id
+  res.set('x-correlation-id', id)
+  // guaranteed access to cds.context._.req -> REVISIT
   if (!cds.context._) cds.context._ = {}
   if (!cds.context._.req) cds.context._.req = req
   next()
 }
 
+
 // -------------------------------------------------------------------------
 if (!module.parent)  module.exports ({from:process.argv[2]})